A critical vulnerability has been discovered in Linux-based Ruckus access points (APs) that allows remote attackers to take control of vulnerable systems.
Tracked as CVE-2023-25717 and first disclosed in February, the flaw is now being exploited by a new botnet called AndoryuBot, according to a new advisory from Fortinet.
“[AndoryuBot] contains DDoS attack modules for different protocols and communicates with its command and control server through SOCKS5 proxies,” explained Fortinet Senior Antivirus Analyst Cara Lin.
“Based on our IPS [intrusion prevention system] signature trigger count […] this campaign began distributing the current version sometime after mid-April.”
AndoryuBot uses the Ruckus vulnerability to gain entry to a device and then downloads a script for further propagation. The variant spotted by Fortinet targets Linux systems and ships binaries for several CPU architectures, including ones used in smartphones, laptops and other embedded devices.
The malware fetches its payload with curl. However, Fortinet found a bug in the malware’s code that prevents it from running on some systems.
“Once a target device is compromised, AndoryuBot quickly extends itself and starts communicating with its C2 server using the SOCKS protocol,” Lin wrote. “Once the victim system receives the attack command, it launches a DDoS attack on a specific IP address and port number.”
According to Lin, AndoryuBot is updated quickly with additional DDoS methods and then waits for attack commands from its C2 server.
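The advisory’s detail worth acting on for defenders is the transport: an infected access point talks to its C2 through SOCKS5 proxies, and an AP has no legitimate reason to speak SOCKS5 outbound. The following added example (not Fortinet’s or Ruckus’s code, and not taken from the malware) parses the two client-side SOCKS5 messages defined in RFC 1928, the greeting and the CONNECT/BIND/UDP_ASSOCIATE request, and runs that check over a handful of constructed flow records. The AP inventory, proxy address and C2 name (c2.invalid) are assumptions made up for the illustration.

```python
"""Flag SOCKS5 client traffic (RFC 1928) originating from wireless access points.

Added example for this article; not Fortinet's, Ruckus's or the malware's code.
The AP host list, flow records, proxy address and C2 name are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


@dataclass
class Socks5Request:
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> Optional[list]:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS].
    Returns the offered auth methods, or None unless the bytes are exactly
    one complete, well-formed greeting (exact length keeps false positives down)."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) != 2 + n:
        return None
    return list(data[2:])


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Client request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT (big-endian)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd = CMD_NAMES.get(data[1])
    if cmd is None:
        return None
    atyp, pos = data[3], 4
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:  # one length byte, then the name
        if len(data) < pos + 1:
            return None
        addr_len, pos = data[pos], pos + 1
    else:
        return None
    if len(data) < pos + addr_len + 2:  # truncated capture: refuse rather than guess
        return None
    raw = data[pos:pos + addr_len]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii", errors="replace")
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw))
    else:
        host = str(ipaddress.IPv6Address(raw))
    port = struct.unpack("!H", data[pos + addr_len:pos + addr_len + 2])[0]
    return Socks5Request(cmd, host, port)


def classify(payload: bytes) -> Optional[str]:
    """Label the first client bytes of a flow as a SOCKS5 greeting or request, else None."""
    if parse_greeting(payload) is not None:
        return "socks5-greeting"
    req = parse_request(payload)
    if req is not None:
        return f"socks5-{req.command.lower()} {req.host}:{req.port}"
    return None


def find_socks5_from_aps(flows, ap_hosts):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_client_payload).
    Returns (src, dst:port, label) for every flow where a managed AP is the
    client and its first bytes parse as SOCKS5, whatever the destination port."""
    alerts = []
    for src, dst, dport, payload in flows:
        if src not in ap_hosts:
            continue
        label = classify(payload)
        if label:
            alerts.append((src, f"{dst}:{dport}", label))
    return alerts


# Constructed data: an assumed AP inventory and four first-packet payloads.
AP_HOSTS = {"10.0.5.21", "10.0.5.22"}
SAMPLE_FLOWS = [
    # AP opens a SOCKS5 session to an assumed proxy, offering "no auth" only
    ("10.0.5.21", "203.0.113.10", 1080, b"\x05\x01\x00"),
    # ...then asks the proxy to CONNECT to the assumed C2 name on port 8080
    ("10.0.5.21", "203.0.113.10", 1080, b"\x05\x01\x00\x03\x0ac2.invalid\x1f\x90"),
    # Same fleet doing ordinary TLS to its controller: a ClientHello, not SOCKS
    ("10.0.5.22", "10.0.1.2", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),
    # A workstation using the corporate proxy: SOCKS5, but not an AP, so ignored
    ("10.0.7.3", "10.0.1.9", 1080, b"\x05\x02\x00\x02"),
]

if __name__ == "__main__":
    for alert in find_socks5_from_aps(SAMPLE_FLOWS, AP_HOSTS):
        print(alert)
```

Feeding real first-packet payloads (from a Zeek conn/pcap export, for example) into find_socks5_from_aps with the real AP inventory turns the advisory’s SOCKS5 observation into a concrete hunt; matching on the parsed request rather than on port 1080 matters because a proxy can listen anywhere.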
“Users should be aware of this new threat and actively apply patches to affected devices as soon as they become available,” Fortinet advised.
The advisory provides IPS signatures for Fortinet customers and indicators of compromise (IOCs) that other defenders can use to protect their networks against the threats identified in the campaign.
Its publication comes weeks after Akamai security researchers discovered a new DDoS botnet capable of launching attacks with data volumes reaching several Tbps.
As cyber threats continue to increase in frequency and sophistication, cyber security is becoming an increasingly important concern for businesses and organizations. The botnet campaign exploiting a flaw in Ruckus Wireless equipment is an example of just how quickly malware can propagate, and a stark reminder of the dangers associated with outdated hardware and software.
Ikaroa, a full-stack technology provider, recognizes the importance of staying ahead of the latest cyber threats, and insists that all its clients ensure their networks remain secure. With a wide range of services that include monitoring, prevention, and responding to cyber threats, Ikaroa provides peace of mind and proactively keeps clients safe.
The botnet campaign exploits the flaw to gain access to Ruckus Wireless access points. Once the attacker has a foothold on a device, the malware downloads further components, spreads to other vulnerable devices and enlists them in distributed denial-of-service (DDoS) attacks. Because it propagates automatically across networks, it can compromise a whole fleet of devices quickly.
Ruckus Wireless, which manufactures the equipment in question, has responded to the security flaw by releasing firmware that patches the vulnerability. However, any organization running devices that are out of date or have not been patched remains at risk.
Ikaroa advises all its clients, and all organizations using Ruckus Wireless devices, to apply the patched firmware and to monitor their networks closely for any suspicious activity. For organizations that lack the expertise to keep their networks secure and up to date, this can be a difficult task. Fortunately, Ikaroa is here to provide assistance and peace of mind. With its comprehensive cyber security solutions, it can protect its clients from these and other malicious attacks.
No organization can be too careful in the current cyber security climate and Ikaroa is dedicated to ensuring the security of its customers. To stay ahead of the latest threats, it is important for businesses and organizations to use a comprehensive cyber security solution like Ikaroa.